Understanding TLS: An encryption-based security protocol (Part 1)

Arunkumar PP
Oct 2, 2023


In the modern digital world, most of our data is either stored in a data center or constantly flowing across the vast internet. That data can be sensitive content such as passwords, credit card numbers and other personal information.
Originally, data on the web was transmitted in plain text that anyone who intercepted the message could read, as back in those days online security was not the focus it is today.

SSL (Secure Sockets Layer) was created to correct this problem: a security protocol that wraps the data in a layer of protection, ensuring that sensitive information remains confidential and secure as it travels across the internet.

Through this article, let’s understand how SSL/TLS plays the crucial role of protecting data in transit.

Introduction to TLS

TLS (Transport Layer Security) is an encryption-based security protocol that ensures secure transmission of data over the internet. Its primary purpose is to establish a secure, encrypted connection between a user’s web browser (client) and a web server.

The security layer was initially developed by Netscape in 1995 as SSL (Secure Sockets Layer). Responsibility for the protocol was handed over to the IETF (Internet Engineering Task Force) in 1999, and it was renamed from SSL to TLS.

Evolution from SSL to TLS over the years.

TLS (Transport Layer Security) is the direct successor to SSL, and all versions of SSL are now deprecated. However, it’s common to find the term SSL describing a TLS connection. In most cases, the terms SSL and SSL/TLS both refer to the TLS protocol and TLS certificates.

Key Functions of SSL/TLS

Confidentiality, integrity and authentication are the major functions of the TLS protocol, and together they ensure the security of our data in transit.

Confidentiality: TLS uses encryption to ensure that data transmitted between a client and a server remains confidential and cannot be easily interpreted by malicious actors.
SSL/TLS typically uses a combination of symmetric and asymmetric encryption to ensure that data remains secure while in transit.

Integrity: TLS ensures the integrity of data by using message digests, which are produced by cryptographic hash functions. Before any data is sent, it is hashed, and the hash value is sent alongside the data. When the recipient receives the data, it also computes a hash of the received data and compares the two. If they don’t match, it indicates that the data was tampered with during transmission.
Apart from hashing, digital signatures are also used to verify the authenticity and integrity of data.
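As an added illustration (not code from the original article), the Python script below contrasts the bare-digest scheme described above with the keyed MAC that TLS actually uses for its record integrity check (HMAC in TLS 1.2 cipher suites, an AEAD tag in TLS 1.3). The key, the messages and the single-bit corruption are constructed for the demo; the point it shows is that an unkeyed hash only catches accidental corruption, because anyone who can rewrite the data can recompute the hash, whereas a tag keyed with a secret shared only by the two endpoints cannot be forged.

```python
import hashlib
import hmac
import secrets


def digest(data: bytes) -> bytes:
    """Unkeyed message digest, as in the scheme described above."""
    return hashlib.sha256(data).digest()


def verify_digest(data: bytes, tag: bytes) -> bool:
    """Recompute the digest on the receiving side and compare in constant time."""
    return hmac.compare_digest(digest(data), tag)


def mac(key: bytes, data: bytes) -> bytes:
    """Keyed tag (HMAC-SHA256): only holders of `key` can produce or check it."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_mac(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, data), tag)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate line noise: flip one bit of the message."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def integrity_demo() -> dict:
    # Constructed values: in TLS the MAC key is derived from the handshake
    # secrets and is shared only by the two endpoints.
    key = secrets.token_bytes(32)
    message = b"amount=100&to=alice"

    # Case 1: accidental corruption in transit. Both schemes catch it.
    corrupted = flip_bit(message, 5)
    noise_caught_by_digest = not verify_digest(corrupted, digest(message))
    noise_caught_by_mac = not verify_mac(key, corrupted, mac(key, message))

    # Case 2: a party that rewrites the message can also recompute an unkeyed
    # digest, so the receiver cannot tell. Without the shared key, a matching
    # MAC cannot be produced.
    forged = b"amount=999&to=mallory"
    forgery_passes_digest = verify_digest(forged, digest(forged))
    forgery_passes_mac = verify_mac(key, forged, mac(b"wrong-key", forged))

    return {
        "noise_caught_by_digest": noise_caught_by_digest,
        "noise_caught_by_mac": noise_caught_by_mac,
        "forgery_passes_digest": forgery_passes_digest,
        "forgery_passes_mac": forgery_passes_mac,
    }


if __name__ == "__main__":
    for check, result in integrity_demo().items():
        print(f"{check}: {result}")
```

Running it prints True for the two noise checks and for `forgery_passes_digest`, and False for `forgery_passes_mac`: the digest alone is an error-detection code, and it is the key that turns it into an integrity guarantee.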

Authentication: TLS verifies the identity of websites, ensuring that you connect to the legitimate server. This involves the processes of server authentication and client authentication, which help avoid communication with the wrong client or server.

The SSL/TLS protocol is located between the application layer and the transport layer in the TCP/IP model (Internet Protocol Suite), where it secures application data before handing it to the transport layer. Since it works between those two layers, TLS can support multiple application layer protocols.

Use cases of TLS:

SSL/TLS is commonly used by web browsers to protect connections between web applications and web servers. Since the protocol works between the application layer and the transport layer, it can support multiple application layer protocols such as:

  • HTTPS (Hypertext Transfer Protocol Secure): This is the secure version of HTTP used for secure web browsing. When you see “https://” in a URL, it indicates that SSL/TLS is being used to encrypt the data transmitted between your browser and the web server.
  • SMTPS (Simple Mail Transfer Protocol Secure): SSL/TLS can be used to secure email communication between a client and a mail server. SMTPS is the secure version of SMTP used for sending and receiving emails.
  • IMAPS (Internet Message Access Protocol Secure): IMAPS is the secure version of IMAP, which is used for retrieving emails from a mail server. It uses SSL/TLS to encrypt email communication.
  • POP3S (Post Office Protocol 3 Secure): POP3S is the secure version of POP3, which is used for retrieving emails from a mail server. It also uses SSL/TLS for encryption.
  • FTPS (File Transfer Protocol Secure): FTPS is a secure version of FTP that uses SSL/TLS for encrypting file transfers between a client and a server.
  • LDAPS (LDAP Secure): LDAP (Lightweight Directory Access Protocol) is a protocol used for accessing and managing directory services. LDAPS adds SSL/TLS encryption to LDAP for secure directory access.
  • XMPPS (Extensible Messaging and Presence Protocol Secure): XMPP is a communication protocol often used for instant messaging and presence information. XMPPS incorporates SSL/TLS for secure communication.
  • Secure VPN Protocols: Many VPN (Virtual Private Network) protocols, such as OpenVPN and SSTP, use SSL/TLS to secure the tunnel between the client and the VPN server.
  • Secure WebSocket (WSS): WebSocket is a protocol that enables full-duplex communication between a client and a server. When it’s secured with SSL/TLS, it’s referred to as WSS, WebSocket Secure.
  • Secure Database Connections: Some database systems, like MySQL and PostgreSQL, allow for SSL/TLS encrypted connections to enhance the security of data transmission between clients and the database server.

Usage of different SSL/TLS versions over the years:

November-2014

Until 2014, SSL v3.0 usage was roughly equal to that of TLS v1.0, until the vulnerability CVE-2014-3566 “POODLE” was exploited.

November-2015

Exactly a year after the exploitation of CVE-2014-3566, SSL v3.0 usage had fallen sharply, and it kept declining in the following years.

September-2023

Currently, in 2023, TLS v1.2 is found to be the most widely supported version among servers. TLS v1.0 and v1.1 were deprecated in 2020 due to the security issues and threats found in them, and most clients and servers no longer support these older versions, forcing an update to the current versions v1.2 and v1.3.
In 2018, TLS v1.3 was introduced with even more security improvements.
Among the versions in use today, TLS v1.2 is the most common because of its compatibility with legacy clients and servers and with regulatory compliance requirements, compared to v1.3.

HTTP vs HTTPS

HTTP (Hypertext Transfer Protocol) and HTTPS (Hypertext Transfer Protocol Secure) are the well-known protocols commonly used for transmitting data over the internet. Let’s look at the differences between the two protocols to better understand the influence of SSL/TLS from a security perspective.

HTTP (Hypertext Transfer Protocol): It’s the standard protocol used for most web pages. HTTP is an application layer protocol designed to transfer information between networked devices, and it runs on top of the other layers in the network protocol stack.
HTTP URLs begin with “http://” and use port 80 by default.

To better understand non-secure data transfer over HTTP, let’s conduct an interception exercise on a test login page.

Tool Used: Wireshark (A well-known network protocol analyzer tool)

Test page: http[:]//testphp[.]vulnweb[.]com/login.php (Test site hosted by acunetix).

Scenario 1: Login.

Demo login page

A login attempt was made on the web page over the HTTP protocol, using the credentials provided on the site.

Login Intercepted.

Wireshark interception result for the login that was initiated

From the above image, we can see that the login credentials used for the login activity are transmitted as clear text, giving an attacker a clear view of the credentials used.

Scenario 2: Data update.

Admin data entry.

A data entry for the admin user containing sensitive information was added on the site and an update was initiated.

Update Intercepted.

Wireshark interception result of all data updates.

All the data updates that occurred on the web page were leaked in transit through a basic eavesdropping technique. This poses a threat of data leakage and manipulation.

From the above scenarios, we can understand the weaknesses of web pages hosted over the HTTP protocol without any additional security layer over the data in transit: the major threats are data leakage and manipulation. These issues were solved with the inclusion of the SSL/TLS encryption-based security protocol.

HTTPS, on the other hand, adds a layer of security by encrypting the data transmitted between your browser and the web server. This encryption is achieved using SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocols, making it extremely difficult for malicious actors to intercept or manipulate the data in transit.

Encrypted data transmission, impossible for an eavesdropper to understand.

In a similar sniffing exercise using the Wireshark tool, data transferred over the internet using the HTTPS protocol is encrypted, and an eavesdropper cannot read it.

In summary, HTTP is the older and less secure protocol, while HTTPS provides a secure and encrypted connection, making it essential for protecting sensitive information like login credentials, payment details and personal data when browsing the web. Nowadays, it’s not only a best practice but also the standard for secure internet communication.

HSTS: (HTTP Strict Transport Security)

HSTS, or HTTP Strict Transport Security, is a web security policy mechanism that helps protect websites and their users from certain types of cyberattacks, particularly those involving man-in-the-middle (MITM) attacks. When a website implements HSTS, it instructs web browsers to always use a secure HTTPS connection when communicating with the site, even if the user initially types “http://” in the URL. This prevents attackers from downgrading the connection to an unencrypted HTTP version, enhancing the overall security and privacy of web interactions. HSTS is a vital tool for safeguarding against eavesdropping and data interception on the internet.

HSTS action on an HTTP request.

From the above image, we can see that the connection attempt with the “http://” request was internally redirected, and the browser was instructed to make an “https://” request, with HSTS given as the reason.

Understanding the Web Request Process: How a browser fetches web content.

In this section, let’s understand how the web request process happens behind the user’s screen. Whenever a user makes a web request through the browser, the data or web page is rendered through a number of steps. Let’s unravel the sequence of events that occur when a client (such as a web browser) communicates with a web server to request and receive web content.

Steps involved in each web request.

  1. URL Parsing
  2. DNS Resolution
  3. TCP connection Establishment
  4. HTTP Request
  5. Server Processing
  6. HTTP Response
  7. Rendering and Resource Loading
  8. Connection Closure

1. URL parsing

The process begins when a user interacts with a web browser, such as by typing a URL (Uniform Resource Locator) into the address bar or clicking on a link.

URL parsing involves breaking down a URL into its various components, such as the protocol, domain name, port, resource path and query parameters.

URL components.

From our test URL, http[:]//testphp[.]vulnweb[.]com/login.php, the following are the key components obtained by parsing the URL.

  • Protocol: http (indicating that the URL uses the Hypertext Transfer Protocol for communication).
  • Domain name: testphp.vulnweb.com (the domain name/host name of the web server to which the client is going to make the request).
  • Port: (since no port is mentioned, port 80 is taken by default based on the protocol).
  • Resource path: /login.php (the resource path specifies the resource or page the browser is asking the server to render).
  • Query parameters: (there are no query parameters in the given URL; when present, they follow a “?” after the resource path).
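To make the parsing step concrete, here is an added Python example (not from the original article) that splits a URL into the components listed above using the standard library’s urllib.parse, fills in the default port from the scheme when none is given, and also reports whether the URL carries a user-info part before the host. That last check is worth having when reviewing links or proxy logs, because a reader of “https://bank.example@phish.test/” may take the first name for the host while the browser connects to the second. The .test and .example host names in the usage are constructed placeholders; the first sample is the article’s test URL.

```python
from urllib.parse import parse_qs, urlsplit

# Default ports implied by the scheme when the URL does not state one.
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_url(url: str) -> dict:
    """Break a URL into protocol, host, port, path and query parameters."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported or missing scheme in {url!r}")
    if not parts.hostname:
        raise ValueError(f"no host in {url!r}")
    # urlsplit().port validates the port and raises ValueError if it is not
    # a number in 0..65535; None means the URL did not specify one.
    port = parts.port
    return {
        "protocol": scheme,
        "domain": parts.hostname,
        "port": DEFAULT_PORTS[scheme] if port is None else port,
        "port_explicit": port is not None,
        # An empty path means the root resource.
        "path": parts.path or "/",
        # Query parameters; keep_blank_values so "?a=" is not silently dropped.
        "query": parse_qs(parts.query, keep_blank_values=True),
        # The "user:password@" part before the host. Browsers accept it, but
        # it puts a trusted-looking name in front of the real host, so flag it.
        "userinfo_present": parts.username is not None,
    }


if __name__ == "__main__":
    for sample in (
        "http://testphp.vulnweb.com/login.php",           # the article's test URL
        "https://example.test:8443/search?q=tls&page=2",  # constructed
        "https://bank.example@phish.test/login",          # constructed
    ):
        print(parse_url(sample))
```

For the article’s test URL the result is protocol http, domain testphp.vulnweb.com, port 80 (not explicit), path /login.php and an empty query, matching the component list above; the third sample resolves to the host phish.test with userinfo_present set.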

2. DNS Resolution

DNS (Domain Name System) is the phone book of the internet. To access a website by its domain name, the browser needs to find the corresponding IP address, as the web browser interacts with servers based on IP addresses. DNS translates domain names to IP addresses so browsers can load internet resources.

DNS Lookup
The main purpose of DNS is the conversion of a domain name into the appropriate IP address of the server/endpoint. To learn how this process works, it helps to follow the path of a DNS lookup as it travels from a web browser, through the DNS lookup process, and back again. Let’s look at the steps.

Steps involved in a DNS lookup.

Pictorial representation of the DNS lookup process

  1. The user types “testphp.vulnweb.com” into a web browser; the query travels into the internet and is received by a DNS recursive resolver. (The DNS resolver is the service that performs the further steps and returns the result to the web browser.)
  2. The resolver then queries a DNS root nameserver (.).
  3. The root server then responds to the resolver with the address of a Top-Level Domain (TLD) DNS server (such as .com or .net) which stores the information for its domains. When searching for testphp.vulnweb.com, our request is pointed toward the .com TLD.
  4. The resolver then makes a request to the .com TLD.
  5. The TLD server then responds with the IP address of the domain’s nameserver for testphp.vulnweb.com.
  6. Lastly, the recursive resolver sends a query to the domain’s nameserver.
  7. The IP address for testphp.vulnweb.com is then returned to the resolver from the nameserver.
  8. The DNS resolver then responds to the web browser with the IP address of the domain requested initially.

    Once the 8 steps of the DNS lookup have returned the IP address for the domain, the browser is able to make the request for the web page:
  9. The browser makes an HTTP request to the IP address.
  10. The server at that IP returns the web page to be rendered in the browser.

DNS Resolver:

The DNS resolver is the first stop in the DNS lookup, and it is responsible for dealing with the client that made the initial request. The resolver starts the sequence of queries that ultimately leads to a URL being translated into the necessary IP address.

Ongoing DNS Query and DNS Response between Client device and DNS resolver.
DNS response from the DNS resolver to Client (Web browser)

The browser initiates a DNS lookup by sending a query to a DNS resolver. The DNS resolver may have the IP address cached, or it recursively queries other DNS servers until it finds the IP address associated with the domain name.

3. TCP Connection Establishment

With the IP address known, the browser initiates a TCP (Transmission Control Protocol) connection to the web server.

TCP is a connection-oriented protocol, and every connection-oriented protocol needs to establish a connection to reserve resources at both the communicating ends.

TCP 3-Way Handshake: The 3-way handshake is a fundamental process in TCP (Transmission Control Protocol) for establishing a reliable connection between two devices over a network. It ensures that both the sender (client) and the receiver (server) are ready to transmit data and synchronises their initial sequence numbers (ISNs) for reliable communication.

3-way handshake diagram representation.

3-way Handshake working process:

  • Step 1: SYN (Synchronize). In the first step, the client wants to establish a connection with a server, so it sends a segment with the SYN (Synchronize Sequence Number) flag set, which informs the server that the client is likely to start communication and with what sequence number it will start its segments.
  • Step 2: SYN+ACK (Synchronize + Acknowledge). The server responds to the client’s request with the SYN and ACK bits set. The acknowledgement (ACK) signifies the response to the segment it received, and the SYN signifies with what sequence number the server is likely to start its segments.
  • Step 3: ACK (Acknowledge). In the final part, the client acknowledges the response of the server, and they both establish a reliable connection with which they will start the actual data transfer.

3-way handshake connection establishment between client and server

The main purpose of the 3-way handshake is to ensure that both parties are aware of each other’s intent to establish a connection, and to verify that both sides are capable of sending and receiving data.

4. HTTP Request

Once the connection is established with the web server, the browser sends an HTTP request. HTTP requests are the core of web communication: an HTTP request is a message sent by a client (web browser) to a server, requesting a specific action or resource.

HTTP Request

Key components and structure of HTTP requests.

  • HTTP Methods:
    The HTTP method specifies the type of action the client wants to perform on the resource. Methods are also referred to as HTTP verbs. Common methods:
    GET: Retrieves data from the server.
    POST: Submits data to the server.
    PUT: Updates a resource on the server.
    DELETE: Requests the removal of a resource.
    HEAD: Retrieves only the headers; similar to GET, but without the body.
    PATCH: Applies partial modifications to a resource.
    OPTIONS: Describes the communication options for the target resource.
    CONNECT: Establishes a tunnel to the server identified by the target resource.
  • Resource path: The resource path indicates the specific location of the resource on the server. Paths are given after the domain name in the URL.
    Example: www.test.com/sub1/sub2, where /sub1/sub2 is the resource path.
  • HTTP version: This indicates the version of the HTTP protocol being used.
  • Headers: Headers provide additional information about the request, including metadata and instructions. Some common headers include:
    — Host: Specifies the domain name of the server.
    — User-Agent: Identifies the client, often indicating the browser type.
    — Content-Type: Specifies the format of the data sent in the request.
    — Authorization: Contains credentials or tokens for authentication.
  • Request Body (for PUT and POST requests):
    POST and PUT requests may include a request body, where data is sent to the server. The format of the data depends on the ‘Content-Type’ header. GET requests do not need a body.
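Tying the request structure above back to the Wireshark scenarios earlier, here is an added Python example (not from the original article or the test site) that parses a raw HTTP request the way it appears in a packet capture: request line, headers, and a form body decoded according to Content-Type. The request bytes, form field names and credentials are constructed samples; the Host is the article’s test host. The helper cleartext_secret_fields is the kind of check a monitoring rule would apply: when the transport is plain HTTP, any password-like form field is fully readable by anyone on the path, while over HTTPS the capture contains no parseable request at all.

```python
from urllib.parse import parse_qs

# Methods listed in the section above.
HTTP_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "PATCH", "OPTIONS", "CONNECT"}

# Form field names a monitoring rule would treat as secrets (constructed list).
SENSITIVE_FIELDS = {"password", "pass", "passwd", "pwd", "cardnumber", "cvv", "ssn"}


def parse_request(raw: bytes) -> dict:
    """Parse a raw HTTP/1.x request into method, path, version, headers, body, form."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: end of headers not found")
    lines = head.decode("iso-8859-1").split("\r\n")

    # Request line: "<method> <target> <version>".
    request_line = lines[0].split()
    if len(request_line) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, version = request_line
    if method not in HTTP_METHODS:
        raise ValueError(f"unknown method: {method!r}")
    if not version.startswith("HTTP/"):
        raise ValueError(f"bad HTTP version: {version!r}")

    # Header names are case-insensitive, so normalise them to lower case.
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()

    # Body length is governed by Content-Length; without it there is no body.
    if "content-length" in headers:
        length = int(headers["content-length"])
        if length < 0:
            raise ValueError("negative Content-Length")
        if len(rest) < length:
            raise ValueError(f"truncated body: expected {length} bytes, got {len(rest)}")
        body = rest[:length]
    else:
        body = b""

    # Decode the body only for the one format this example understands.
    form = {}
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if body and media_type == "application/x-www-form-urlencoded":
        form = parse_qs(body.decode("iso-8859-1"), keep_blank_values=True)

    return {"method": method, "path": target, "version": version,
            "headers": headers, "body": body, "form": form}


def cleartext_secret_fields(request: dict, transport: str) -> list:
    """Names of password-like form fields that are readable on the wire.

    `transport` is "http" for a plaintext capture or "https" when TLS carried
    the request (in which case the capture would not even be parseable).
    """
    if transport != "http":
        return []
    return sorted(name for name in request["form"] if name.lower() in SENSITIVE_FIELDS)


# Constructed sample: what a plaintext login POST looks like in a capture.
SAMPLE_LOGIN = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: testphp.vulnweb.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"username=demo&password=demo"
)

if __name__ == "__main__":
    req = parse_request(SAMPLE_LOGIN)
    print(req["method"], req["path"], req["headers"]["host"])
    print("readable secrets over HTTP:", cleartext_secret_fields(req, "http"))
```

The parser refuses a request whose body is shorter than its Content-Length, which is what a capture of a connection cut mid-transfer looks like; a real inspection tool would buffer further packets rather than fail, but the check keeps the example from silently reporting a partial form.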

5. Server Processing

After the request is made, the web server receives the HTTP request and processes it. This may involve database queries, dynamic content generation, or simply retrieving static files.

The server then generates an HTTP response which includes:

  • A status code indicating the outcome of the request.
  • Response headers, including content type, date, server information and more.

6. HTTP Response

After processing the request, the server sends a response.
A response contains a response code (indicating the success or failure of the request), a set of headers and a body.
GET requests are answered with the requested resource(s), whereas a POST request may be answered with a success indicator only, or with the fully populated resource which was inserted/posted.

HTTP response

Key components of HTTP response:

  • Status code: These codes indicate the success or failure of the request. They are 3-digit codes whose first digit gives the class of the response. Codes:
    1xx informational response — the request was received, continuing
    processing.
    2xx successful — the request was successfully received, understood, and
    accepted.
    3xx redirection — further action needs to be taken to complete the
    request.
    4xx client error — the request contains bad syntax or cannot be fulfilled.
    5xx server error — the server failed to fulfill an apparently valid request.
  • HTTP Headers: Response headers typically inform the client what type and encoding of the data is being returned.
  • Response Body: The body contains the data returned from the server. The body may be textual or in a binary format.
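The same approach for the response side, as an added Python example (not from the original article): it parses the status line and headers, maps the code to the class in the list above, and decodes the Strict-Transport-Security header from the HSTS section earlier. The sample response and its host name are constructed. One detail worth knowing when checking HSTS from a capture or a scanner: per RFC 6797 a browser only honours the header when it arrives over HTTPS, so the helper takes a flag for that and returns no policy for a plain-HTTP response.

```python
# First digit of the status code -> class, as listed above.
STATUS_CLASSES = {1: "informational", 2: "successful", 3: "redirection",
                  4: "client error", 5: "server error"}


def status_class(code: int) -> str:
    if not 100 <= code <= 599:
        raise ValueError(f"status code out of range: {code}")
    return STATUS_CLASSES[code // 100]


def parse_response(raw: bytes) -> dict:
    """Parse a raw HTTP/1.x response into version, status, reason, headers, body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: end of headers not found")
    lines = head.decode("iso-8859-1").split("\r\n")
    # Status line: "HTTP/1.1 301 Moved Permanently"; the reason phrase is optional.
    status_line = lines[0].split(" ", 2)
    if len(status_line) < 2 or not status_line[0].startswith("HTTP/"):
        raise ValueError(f"malformed status line: {lines[0]!r}")
    code = int(status_line[1])
    reason = status_line[2] if len(status_line) == 3 else ""
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()  # last duplicate wins
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return {"version": status_line[0], "status": code, "class": status_class(code),
            "reason": reason, "headers": headers, "body": body}


def parse_hsts(value: str):
    """Decode Strict-Transport-Security directives; None if max-age is missing or invalid."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    # max-age is the one required directive.
    return policy if policy["max_age"] is not None else None


def hsts_policy(response: dict, received_over_tls: bool):
    """HSTS policy a browser would record for this response, or None."""
    if not received_over_tls:
        return None  # RFC 6797: the header is ignored on plain-HTTP responses
    value = response["headers"].get("strict-transport-security")
    return parse_hsts(value) if value is not None else None


# Constructed sample: a redirect to HTTPS carrying an HSTS header.
SAMPLE_REDIRECT = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://example.test/login.php\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    resp = parse_response(SAMPLE_REDIRECT)
    print(resp["status"], resp["class"], resp["headers"]["location"])
    print("HSTS if received over TLS:", hsts_policy(resp, received_over_tls=True))
    print("HSTS if received over HTTP:", hsts_policy(resp, received_over_tls=False))
```

Running it shows the policy (max_age 31536000, subdomains included) for the TLS case and None for the plain-HTTP case. That is the practical consequence for site operators: a site that only sets the header on its HTTP-to-HTTPS redirect gets no HSTS protection, so the header has to be sent on the HTTPS responses themselves.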

7. Rendering and Resource Loading

The browser receives the HTTP response and begins processing it. It interprets the HTML to structure the web page, applies CSS for styling and executes JavaScript for interaction.

As the web page gets rendered, the browser may encounter additional resource requests, such as images, scripts, style sheets and external content. For each resource the browser repeats the process from DNS resolution to rendering, creating new connections and fetching resources from the web servers or domains.

8. Connection Closure

After all necessary resources are loaded and the web page is displayed, the browser may keep the TCP connections open for a short time in case the user interacts with the page further.

Eventually the connection is closed through the TCP termination process.

TCP termination process: The most common way of terminating a TCP connection is by using the FIN flag in the TCP header. This mechanism allows each host to release its own side of the connection individually.

TCP termination process

Steps involved in TCP termination:

  1. (FIN from client): Suppose that the client application decides it wants to close the connection (the server could also choose to close it). This causes the client to send a TCP segment with the FIN bit set to 1 to the server and enter the FIN_WAIT_1 state, in which the client waits for a TCP segment from the server with an acknowledgement.
  2. (ACK from server): Once the server receives the FIN segment from the client, the server immediately sends an acknowledgement (ACK) to the client.
  3. (Client waiting): While in the FIN_WAIT_1 state, the client waits for a TCP segment from the server with an acknowledgement. When it receives this segment, the client enters the FIN_WAIT_2 state. While in the FIN_WAIT_2 state, the client waits for another segment from the server with the FIN bit set to 1.
  4. (FIN from server): Some time after sending the ACK, the server sends a segment with the FIN bit set to the client.
  5. (ACK from client): When the client receives the FIN segment from the server, it acknowledges the server’s segment and enters the TIME_WAIT state. The TIME_WAIT state lets the client resend the final acknowledgement in case the ACK is lost. The time spent by clients in the TIME_WAIT state depends on their implementation, but typical values are 30 seconds, 1 minute and 2 minutes. After the wait, the connection formally closes and all resources on the client side (including port numbers and buffer data) are released.

Key benefits of Connection termination

  • Connection closure.
  • Release of resources.
  • Freedom for new connections.
  • Ready for further requests.

Conclusion

Here we conclude the first part of the Understanding TLS article, where we had a look at the introduction and use cases of TLS, the difference between data transmission over the non-secure application protocol HTTP and secure HTTPS communication, and the web request process that takes place between a client (web browser) and the server.

In the next part, let’s explore even more about the TLS protocol.

I thank you all who spent your valuable time in going through this article and found it useful.

Author: Arunkumar P P

Linkedin : Arunkumar P P

